qilingframework / qiling

A True Instrumentable Binary Emulation Framework
https://qiling.io
GNU General Public License v2.0

qiling not recognize CMOVZ series? #1149

Open duo opened 2 years ago

duo commented 2 years ago

Describe the bug: qiling does not recognize the CMOVZ series?

Sample Code

__text:000000010127AED0                 lea     rdi, [rbp+var_54A0]
__text:000000010127AED7                 mov     [rbp+var_22E0], rdi
__text:000000010127AEDE                 mov     rax, [rbp+var_22E0]
__text:000000010127AEE5                 call    sub_1012BD8F2
__text:000000010127AEEA                 lea     rdi, [rbp+var_5488]
__text:000000010127AEF1                 mov     [rbp+var_22E8], rdi
__text:000000010127AEF8                 mov     rax, [rbp+var_22E8]

__text:000000010127B225                 mov     [rax+rdx], cl
__text:000000010127B228                 inc     rax
__text:000000010127B22B                 cmp     rax, 4
__text:000000010127B22F                 mov     ecx, 6EA755C0h
__text:000000010127B234                 mov     edx, 0C7FC21BEh
__text:000000010127B239                 cmovz   ecx, edx
__text:000000010127B23C                 mov     [rbp+var_324], ecx
__text:000000010127B242                 mov     [rbp+var_1B20], rax
__text:000000010127B249                 jmp     loc_10127B0C8

Actual behavior

[INFO][qilingida:1393] A block with only one instruction which is `mov #imm, reg` at 0x10127b239.
[WARNING][qilingida:1371] The address 0x10127aeea where jmp_mbb goes isn't pre_dispatcher or dispatcher block!
[INFO][qilingida:1432] Switch the jmp_bb and next_bb and try again...
[WARNING][qilingida:1360] jmp_mbb at 0x10127b239 the opcode of last instruction  mov         #0xC7FC21BE.4     ,   ecx.4 isn't goto
[ERROR][qilingida:1436] Fail to identify microcode blocks at 0x10127b239
[WARNING][qilingida:1519] Fail to force execution by microcode at 0x10127b239, trying legacy approach
Traceback (most recent call last):
  File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 809, in activate
    self.action_handler.ql_handle_menu_action(self.action_type)
  File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 2096, in ql_handle_menu_action
    [x.handler() for x in self.menuitems if x.action == action]
  File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 2096, in <listcomp>
    [x.handler() for x in self.menuitems if x.action == action]
  File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 1840, in ql_deflat
    if not self._search_path():
  File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 1656, in _search_path
    ql.run(begin=ql_bb_start_ea, end=0, count=0xFFF)
  File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\core.py", line 572, in run
    self.os.run()
  File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\os\macos\macos.py", line 207, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\core.py", line 708, in emu_start
    raise self._internal_exception
  File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\utils.py", line 37, in wrapper
    return func(*args, **kw)
  File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\core_hooks.py", line 91, in _hook_trace_cb
    ret = hook.call(ql, addr, size)
  File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\core_hooks_types.py", line 25, in call
    return self.callback(ql, *args)
  File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 1520, in _guide_hook
    result = self._force_execution_by_parsing_assembly(ql, ida_addr)
  File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 1469, in _force_execution_by_parsing_assembly
    reg2_val = ql.arch.regs.__getattribute__(reg2)
AttributeError: 'QlRegisterManager' object has no attribute 'edx'

xwings commented 2 years ago

Can u try that in unicorn 2 rc7 ?

duo commented 2 years ago

> Can u try that in unicorn 2 rc7 ?

I already installed unicorn-2.0.0rc7. This error occurs with this unicorn version.

elicn commented 2 years ago

This doesn't look like a UC bug, nor Qiling's. This is a qilingida bug, which seems to have been left unmaintained for a long time.

wtdcode commented 2 years ago

But note it's weird that looking for edx fails. @elicn, is the ql.arch.regs.__getattribute__(reg2) usage supported?

elicn commented 2 years ago

No, it doesn't. It should have been __getattr__ or simply []. idaqiling code needs a decent refactor, but I don't have an IDA license to test it.

duo commented 2 years ago

> No, it doesn't. It should have been __getattr__ or simply []. idaqiling code needs a decent refactor, but I don't have an IDA license to test it.

I replaced the __getattribute__ with __getattr__ in qilingida.py

__text:000000010127B6E5                 mov     r12b, 1
__text:000000010127B6E8                 test    r12b, r14b
__text:000000010127B6EB                 cmovnz  rbx, [rax+10h]
__text:000000010127B6F0                 mov     rdi, r15
__text:000000010127B6F3                 call    sub_101279ED2
[WARNING][qilingida:1384] next_mbb at 0x10127b6eb the opcode of first instruction  ldx     ds.2  ,    (rax.8{42}+ #0x10.8    )     ,   rbx.8 isn't mov
[INFO][qilingida:1432] Switch the jmp_bb and next_bb and try again...
[WARNING][qilingida:1360] jmp_mbb at 0x10127b6eb the opcode of last instruction  ldx     ds.2    ,    (rax.8{42}+ #0x10.8    )     ,   rbx.8 isn't goto
[ERROR][qilingida:1436] Fail to identify microcode blocks at 0x10127b6eb
[WARNING][qilingida:1521] Fail to force execution by microcode at 0x10127b6eb, trying legacy approach
Traceback (most recent call last):
  File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 809, in activate
    self.action_handler.ql_handle_menu_action(self.action_type)
  File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 2098, in ql_handle_menu_action
    [x.handler() for x in self.menuitems if x.action == action]
  File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 2098, in <listcomp>
    [x.handler() for x in self.menuitems if x.action == action]
  File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 1842, in ql_deflat
    if not self._search_path():
  File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 1658, in _search_path
    ql.run(begin=ql_bb_start_ea, end=0, count=0xFFF)
  File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\core.py", line 572, in run
    self.os.run()
  File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\os\macos\macos.py", line 207, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
  File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\core.py", line 708, in emu_start
    raise self._internal_exception
  File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\utils.py", line 37, in wrapper
    return func(*args, **kw)
  File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\core_hooks.py", line 91, in _hook_trace_cb
    ret = hook.call(ql, addr, size)
  File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\core_hooks_types.py", line 25, in call
    return self.callback(ql, *args)
  File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 1522, in _guide_hook
    result = self._force_execution_by_parsing_assembly(ql, ida_addr)
  File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 1470, in _force_execution_by_parsing_assembly
    reg2_val = ql.arch.regs.__getattr__(reg2)
  File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\arch\register.py", line 41, in __getattr__
    return super().__getattribute__(name)
AttributeError: 'QlRegisterManager' object has no attribute '[rax+10h]'

elicn commented 2 years ago

This is essentially broken; the code cannot just parse that string as-is. The code needs to break the memory dereference to its elements and calculate the result (similar to what we do in the trace extension).
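The following is an added example, not code from the qiling or qilingida projects, covering both points raised in the thread: why `__getattribute__(name)` fails where `__getattr__`/`[]` work on a register store (elicn's earlier reply), and how a memory operand like `[rax+10h]` has to be split into register, scale and displacement terms and evaluated against emulated state before a `cmovcc` can be applied (elicn's last comment). `RegisterStore` and `FlatMemory` are constructed stand-ins with the lookup shape discussed, not Qiling's `QlRegisterManager` or memory API; the register values, memory contents and stack-symbol resolver are constructed too, and only the `z`/`nz` condition codes from the two pasted snippets are handled. It goes a little beyond the page by also accepting a scaled index and a negative displacement (`[rax+rdx*8-20h]`) and by applying the x86-64 rule that a 32-bit destination is zero-extended even when the move is not taken.

```python
import re
from typing import Callable, Dict, Optional, Tuple

MASK64 = (1 << 64) - 1


class RegisterStore:
    """Constructed stand-in: full 64-bit GPRs, attribute and [] lookup both work."""
    def __init__(self, regs: Dict[str, int]):
        object.__setattr__(self, "_regs", {k: v & MASK64 for k, v in regs.items()})

    def __getattr__(self, name: str) -> int:
        # Python only calls __getattr__ after normal lookup fails, so
        # obj.__getattribute__("rdx") raises while obj.rdx and obj["rdx"] work.
        try:
            return self._regs[name]
        except KeyError:
            raise AttributeError(name) from None

    def __getitem__(self, name: str) -> int:
        return self._regs[name]

    def __setitem__(self, name: str, value: int) -> None:
        self._regs[name] = value & MASK64


class FlatMemory:
    """Constructed little-endian memory window starting at `base`."""
    def __init__(self, base: int, data: bytes):
        self.base, self.data = base, bytes(data)

    def read(self, addr: int, size: int) -> int:
        off = addr - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError(f"unmapped read of {size} bytes at {addr:#x}")
        return int.from_bytes(self.data[off:off + size], "little")


def lookup_styles(regs: RegisterStore, name: str) -> Tuple[Optional[int], int, int]:
    """Mirror the thread's bug: direct __getattribute__ call vs getattr vs []."""
    try:
        direct = regs.__getattribute__(name)   # bypasses __getattr__ -> AttributeError
    except AttributeError:
        direct = None
    return direct, getattr(regs, name), regs[name]


_LEGACY = ("ax", "bx", "cx", "dx", "si", "di", "bp", "sp")

def canonical(reg: str) -> Tuple[str, int]:
    """Map a register name to (64-bit parent register, width in bits)."""
    r = reg.lower()
    m = re.fullmatch(r"r(8|9|1[0-5])([dwb]?)", r)
    if m:
        return "r" + m.group(1), {"": 64, "d": 32, "w": 16, "b": 8}[m.group(2)]
    for stem in _LEGACY:
        if r == "r" + stem:
            return r, 64
        if r == "e" + stem:
            return "r" + stem, 32
        if r == stem:
            return "r" + stem, 16
    if re.fullmatch(r"[abcd]l", r):
        return "r" + r[0] + "x", 8
    raise ValueError(f"not a supported register: {reg!r}")


def read_reg(regs: RegisterStore, name: str) -> int:
    parent, width = canonical(name)
    return regs[parent] & ((1 << width) - 1)


def write_reg(regs: RegisterStore, name: str, value: int) -> None:
    parent, width = canonical(name)
    value &= (1 << width) - 1
    if width >= 32:
        regs[parent] = value                      # 32-bit writes zero-extend to 64
    else:
        regs[parent] = (regs[parent] & ~((1 << width) - 1)) | value  # 8/16-bit keep upper bits


def parse_imm(tok: str) -> Optional[int]:
    """IDA immediates: decimal (4) or hex with 'h' suffix (10h, 0C7FC21BEh)."""
    if re.fullmatch(r"[0-9][0-9A-Fa-f]*h", tok):
        return int(tok[:-1], 16)
    if re.fullmatch(r"[0-9]+", tok):
        return int(tok)
    return None


Resolver = Callable[[str], int]

def effective_address(regs: RegisterStore, operand: str,
                      resolve_symbol: Optional[Resolver] = None) -> int:
    """Split [base+index*scale+disp] into terms and sum them against the state."""
    m = re.fullmatch(r"\[(.+)\]", operand.strip())
    if not m:
        raise ValueError(f"not a memory operand: {operand!r}")
    ea = 0
    for sign, term in re.findall(r"([+-]?)\s*([^+\-\s]+)", m.group(1)):
        base, _, scale = term.partition("*")
        imm = parse_imm(base)
        if imm is not None:
            value = imm
        else:
            try:
                value = read_reg(regs, base)
            except ValueError:                    # not a register: symbolic, e.g. var_54A0
                if resolve_symbol is None:
                    raise ValueError(f"unresolved symbol {base!r} in {operand}") from None
                value = resolve_symbol(base)      # hypothetical hook for stack-frame symbols
        value *= int(scale) if scale else 1
        ea = ea - value if sign == "-" else ea + value
    return ea & MASK64


def read_operand(regs: RegisterStore, mem: FlatMemory, operand: str, width: int,
                 resolve_symbol: Optional[Resolver] = None) -> int:
    tok = operand.strip()
    if tok.startswith("["):
        return mem.read(effective_address(regs, tok, resolve_symbol), width // 8)
    imm = parse_imm(tok)
    return imm & ((1 << width) - 1) if imm is not None else read_reg(regs, tok)


def flags_after_cmp(lhs: int, rhs: int) -> Dict[str, bool]:
    return {"ZF": ((lhs - rhs) & MASK64) == 0}

def flags_after_test(a: int, b: int) -> Dict[str, bool]:
    return {"ZF": (a & b) == 0}


def cmov(regs: RegisterStore, mem: FlatMemory, mnemonic: str, dst: str, src: str,
         flags: Dict[str, bool], resolve_symbol: Optional[Resolver] = None) -> bool:
    """Apply cmovz/cmove/cmovnz/cmovne; return True if the move was taken."""
    cc = mnemonic.lower()[4:]
    if cc in ("z", "e"):
        take = flags["ZF"]
    elif cc in ("nz", "ne"):
        take = not flags["ZF"]
    else:
        raise NotImplementedError(f"condition code {cc!r} not handled in this example")
    _, width = canonical(dst)
    if take:
        write_reg(regs, dst, read_operand(regs, mem, src, width, resolve_symbol))
    elif width == 32:
        write_reg(regs, dst, read_reg(regs, dst))  # not-taken 32-bit cmov still zero-extends
    return take


def replay_thread_snippets() -> Dict[str, int]:
    """Replay the two cmov sites from the issue on constructed state."""
    out: Dict[str, int] = {}
    # cmp rax, 4 ; mov ecx, 6EA755C0h ; mov edx, 0C7FC21BEh ; cmovz ecx, edx
    regs, mem = RegisterStore({"rax": 4, "rcx": 0, "rdx": 0}), FlatMemory(0x1000, bytes(0x40))
    flags = flags_after_cmp(read_reg(regs, "rax"), 4)
    write_reg(regs, "ecx", parse_imm("6EA755C0h"))
    write_reg(regs, "edx", parse_imm("0C7FC21BEh"))
    out["cmovz_taken"] = cmov(regs, mem, "cmovz", "ecx", "edx", flags)
    out["ecx"] = read_reg(regs, "ecx")
    # mov r12b, 1 ; test r12b, r14b ; cmovnz rbx, [rax+10h]   (memory contents constructed)
    regs = RegisterStore({"rax": 0x1000, "rbx": 0xDEAD, "r12": 0, "r14": 1})
    mem = FlatMemory(0x1000, bytes(0x10) + (0x4142434445464748).to_bytes(8, "little") + bytes(0x28))
    write_reg(regs, "r12b", 1)
    flags = flags_after_test(read_reg(regs, "r12b"), read_reg(regs, "r14b"))
    out["cmovnz_taken"] = cmov(regs, mem, "cmovnz", "rbx", "[rax+10h]", flags)
    out["rbx"] = read_reg(regs, "rbx")
    return out


if __name__ == "__main__":
    print({k: hex(v) if isinstance(v, int) and not isinstance(v, bool) else v
           for k, v in replay_thread_snippets().items()})
```

Running the module prints the post-`cmov` values for both sites: `ecx` picks up `0C7FC21BEh` because `cmp rax, 4` set ZF, and `rbx` receives the 8 bytes at `rax+10h` because `test r12b, r14b` cleared it. The `resolve_symbol` hook is where a plugin would map IDA frame symbols such as `var_54A0` to their offsets; without it the parser reports the symbol as unresolved rather than handing the raw string to the register store, which is the failure shown in the second traceback.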